I noticed that when I insert a thumbdrive, my system sets the owner of the files on said drive to owner "user" (being whatever user I'm logged in as) and the group to "root". So if I had a program with the setgid bit enabled on this thumbdrive, created from some other computer, wouldn't this allow the user to run this program with the privileges of the root group? And, in doing so, wouldn't this compromise security? Don't all users in the "root" group have superuser privileges?

Or, would the system simply ignore any setuid/setgid for any files located on the drive? Speaking of which, I'm wondering where the system is storing file permission data for these files in the first place, especially for NTFS volumes (I have a dual boot setup with either Windows or Linux), obviously windows isn't setting aside place for them! I suppose what I'm trying to ask is, are these attributes stored in the file record themselves or in some type of central repository that determines what permissions each file has.

"As I did 20 years ago, I still fervently believe that the only way to make software secure, reliable, and fast is to make it small. Fight Features."

are these attributes stored in the file record themselves or in some type of central repository that determines what permissions each file has

AFAIK, your system determines how it treats anything it mounts. A good place to see this is in the /etc/fstab, which should be present across all Linux distributions. There's absolutely no respect by the local system for files created by the root user of another system--you can change and wipe them as easily as if you yourself owned them.

I'm no expert in the fstab, never had much of an inclination to learn the ins and outs, but therein is your answer. It lists who can mount what and when. And I think what happens is that if you're attempting to mount something that is not present in the fstab, you need super-user permissions, which is likely where the "root" group comes into play.

Hopefully that helps, don't take anything I say as gospel but I think this will point you in the right direction.

"I'm going to get into your sister. I'm going to get my hands on your daughter." ~Gatito

The answer to your question is no, this is not a security risk. Even if the program belonged to "root", the program will still have to be executed by "root" to obtain those privileges. Otherwise the program will only execute with the privileges that pertain to the user who executed it.

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." - Sun Tzu